What is claimed is:

1. In a computing environment having a connection to a network, a computer program product for securely propagating security credentials from a trusted master registry, the computer program product embodied on one or more computer-readable media and comprising:

computer-readable program code means for establishing a secure connection between a client and a password synchronization agent (PSA);

computer-readable program code means for transmitting an identifier of a user and an identifying secret of the user to the PSA;

computer-readable program code means for validating the user with the trusted master registry using the transmitted user identifier and identifying secret; and

computer-readable program code means for propagating the identifying secret of the user to one or more target registries if the validation succeeds.

2. The computer program product according to Claim 1, further comprising:

computer-readable program code means for establishing a second secure connection between the PSA and the trusted master registry; and

computer-readable program code means for using the second secure connection for the validating of the user.



3. The computer program product according to Claim 1, further comprising:

computer-readable program code means for establishing additional secure connections between the PSA and each of the target registries; and

computer-readable program code means for using the additional secure connections for the propagating of the identifying secret.

4. The computer program product according to Claim 1, wherein the master registry stores password synchronization policy information, and wherein the computer-readable program code means for propagating the identifying secret further comprises computer-readable program code means for identifying the target registries using the stored password synchronization policy information for the user.

5. The computer program product according to Claim 1, wherein the master registry stores password synchronization policy information, and wherein the computer-readable program code means for propagating the identifying secret further comprises computer-readable program code means for identifying the target registries using the stored password synchronization policy information for a user group of which the user is a member.

6. The computer program product according to Claim 1, wherein the computer-readable program code means for establishing the secure connection further comprises computer-readable program code means for authenticating the PSA to the client.

7. The computer program product according to Claim 2, wherein the computer-readable program code means for establishing the second secure connection further comprises computer-readable program code means for authenticating the master registry to the PSA.

8. The computer program product according to Claim 3, wherein the computer-readable program code means for establishing additional secure connections further comprises computer-readable program code means for authenticating the one or more target registries to the PSA.

9. The computer program product according to Claim 1, wherein the computer-readable program code means for validating further comprises:

computer-readable program code means for performing a security function on the identifying secret of the user, wherein the security function comprises one of (i) a one-way hashing algorithm or (ii) an encryption algorithm;

computer-readable program code means for using the user identifier to locate a previously-stored identifying secret of the user which was stored by the master registry; and

computer-readable program code means for comparing the located identifying secret to a result of performing the security function.

10. The computer program product according to Claim 1, wherein the computer-readable program code means for validating further comprises computer-readable program code means for invoking an authenticated LDAP bind or other native authentication mechanism of the master registry, wherein the identifier of the user and the identifying secret of the user are passed to the master registry, thereby causing the master registry to validate the passed identifier and identifying secret and return a result which reports a success or failure of the validation.



11. The computer program product according to Claim 1, wherein the PSA has administrative authority for performing operations at the one or more target registries.

12. The computer program product according to Claim 1, further comprising:

computer-readable program code means for obtaining a new value from the user to be used as the propagated identifying secret; and

computer-readable program code means for substituting this new value for the identifying secret prior to operation of the computer-readable program code means for propagating.

13. A system for securely propagating security credentials from a trusted master registry, comprising:

means for establishing a secure connection between a client and a password synchronization agent (PSA);

means for transmitting an identifier of a user and an identifying secret of the user to the PSA;

means for validating the user with the trusted master registry using the transmitted user identifier and identifying secret; and

means for propagating the identifying secret of the user to one or more target registries if the validation succeeds.

14. The system according to Claim 13, further comprising:

means for establishing a second secure connection between the PSA and the trusted master registry; and

means for using the second secure connection for the validating of the user.

15. The system according to Claim 13, further comprising:

means for establishing additional secure connections between the PSA and each of the target registries; and

means for using the additional secure connections for the propagating of the identifying secret.

16. The system according to Claim 13, wherein the master registry stores password synchronization policy information, and wherein the means for propagating the identifying secret further comprises means for identifying the target registries using the stored password synchronization policy information for the user.

17. The system according to Claim 13, wherein the master registry stores password synchronization policy information, and wherein the means for propagating the identifying secret further comprises means for identifying the target registries using the stored password synchronization policy information for a user group of which the user is a member.

RSW9-2000-0044-US1

18. The system according to Claim 13, wherein the means for establishing the secure connection further comprises means for authenticating the PSA to the client.

19. The system according to Claim 14, wherein the means for establishing the second secure connection further comprises means for authenticating the master registry to the PSA.

20. The system according to Claim 15, wherein the means for establishing additional secure connections further comprises means for authenticating the one or more target registries to the PSA.

21. The system according to Claim 13, wherein the means for validating further comprises:

means for performing a security function on the identifying secret of the user, wherein the security function comprises one of (i) a one-way hashing algorithm or (ii) an encryption algorithm;

means for using the user identifier to locate a previously-stored identifying secret of the user which was stored by the master registry; and

means for comparing the located identifying secret to a result of performing the security function.
22. The system according to Claim 13, wherein the means for validating further comprises means for invoking an authenticated LDAP bind or other native authentication mechanism of the master registry, wherein the identifier of the user and the identifying secret of the user are passed to the master registry, thereby causing the master registry to validate the passed identifier and identifying secret and return a result which reports a success or failure of the validation.

23. The system according to Claim 13, wherein the PSA has administrative authority for performing operations at the one or more target registries.

24. The system according to Claim 13, further comprising:

means for obtaining a new value from the user to be used as the propagated identifying secret; and

means for substituting this new value for the identifying secret prior to operation of the means for propagating.

25. A method for securely propagating security credentials from a trusted master registry, comprising steps of:

establishing a secure connection between a client and a password synchronization agent (PSA);

transmitting an identifier of a user and an identifying secret of the user to the PSA;

validating the user with the trusted master registry using the transmitted user identifier and identifying secret; and

propagating the identifying secret of the user to one or more target registries if the validation succeeds.

26. The method according to Claim 25, further comprising steps of:

establishing a second secure connection between the PSA and the trusted master registry; and

using the second secure connection for the validating of the user.

27. The method according to Claim 25, further comprising steps of:

establishing additional secure connections between the PSA and each of the target registries; and

using the additional secure connections for the propagating of the identifying secret.

28. The method according to Claim 25, wherein the master registry stores password synchronization policy information, and wherein the step of propagating the identifying secret further comprises the step of identifying the target registries using the stored password synchronization policy information for the user.

29. The method according to Claim 25, wherein the master registry stores password synchronization policy information, and wherein the step of propagating the identifying secret further comprises the step of identifying the target registries using the stored password synchronization policy information for a user group of which the user is a member.

30. The method according to Claim 25, wherein the step of establishing the secure connection further comprises the step of authenticating the PSA to the client.

31. The method according to Claim 26, wherein the step of establishing the second secure connection further comprises the step of authenticating the master registry to the PSA.

32. The method according to Claim 27, wherein the step of establishing additional secure connections further comprises the step of authenticating the one or more target registries to the PSA.

33. The method according to Claim 25, wherein the step of validating further comprises:

performing a security function on the identifying secret of the user, wherein the security function comprises one of (i) a one-way hashing algorithm or (ii) an encryption algorithm;

using the user identifier to locate a previously-stored identifying secret of the user which was stored by the master registry; and

comparing the located identifying secret to a result of performing the security function.
34. The method according to Claim 25, wherein the step of validating further comprises the step of invoking an authenticated LDAP bind or other native authentication mechanism of the master registry, wherein the identifier of the user and the identifying secret of the user are passed to the master registry, thereby causing the master registry to validate the passed identifier and identifying secret and return a result which reports a success or failure of the validation.

35. The method according to Claim 25, wherein the PSA has administrative authority for performing operations at the one or more target registries.

36. The method according to Claim 25, further comprising steps of:

obtaining a new value from the user to be used as the propagated identifying secret; and

substituting this new value for the identifying secret prior to operation of the propagating step.
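The three claim sets above (program product, system and method) recite the same control flow: the PSA validates the user against the trusted master registry before anything is propagated, selects target registries from per-user and per-group synchronization policy, writes to those targets under its own administrative authority, and may substitute a newly supplied value for the presented secret first. The following Python sketch of that flow is an added illustration, not code from the patent or its assignee. The master and target registries, the administrative token, the sample users and groups, and the choice of salted PBKDF2-HMAC-SHA256 as the "one-way hashing algorithm" of claims 9, 21 and 33 are all constructed assumptions; the three secure connections (claims 6 to 8) are assumed to be TLS with the server side authenticated and are not modelled, and the LDAP-bind alternative of claims 10, 22 and 34 is not shown because it needs a directory server.

```python
"""Password synchronization agent (PSA) flow after claims 1-12 / 13-24 / 25-36.
Illustrative only: registries, tokens and users below are constructed for the example."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumption: the claims only say "a one-way hashing algorithm"


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Security function of claim 9 (i): salted one-way hash of the identifying secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class MasterRegistry:
    """Trusted master registry: stores salted hashes (never the clear secret) and the
    password synchronization policy for users and groups (claims 4 and 5)."""
    users: dict = field(default_factory=dict)         # uid -> (salt, stored hash)
    groups: dict = field(default_factory=dict)        # group name -> set of uids
    user_policy: dict = field(default_factory=dict)   # uid -> [target registry names]
    group_policy: dict = field(default_factory=dict)  # group name -> [target registry names]

    def enroll(self, uid: str, secret: str) -> None:
        salt = os.urandom(16)
        self.users[uid] = (salt, hash_secret(secret, salt))

    def validate(self, uid: str, secret: str) -> bool:
        """Claim 9: locate the stored secret by identifier, hash the presented secret,
        compare the two in constant time. Claim 10's LDAP bind would replace this."""
        record = self.users.get(uid)
        if record is None:
            hash_secret(secret, b"\x00" * 16)  # keep unknown-user timing close to wrong-password timing
            return False
        salt, stored = record
        return hmac.compare_digest(stored, hash_secret(secret, salt))

    def targets_for(self, uid: str) -> list:
        """Claims 4 and 5: targets named for the user, then those of each group the
        user belongs to, in a stable order and without duplicates."""
        targets = list(self.user_policy.get(uid, []))
        for group, members in self.groups.items():
            if uid in members:
                for name in self.group_policy.get(group, []):
                    if name not in targets:
                        targets.append(name)
        return targets


@dataclass
class TargetRegistry:
    """A target registry. Writes require the PSA's administrative credential (claim 11)."""
    name: str
    admin_token: str
    passwords: dict = field(default_factory=dict)  # uid -> secret as the target stores it

    def set_password(self, admin_token: str, uid: str, secret: str) -> None:
        if not hmac.compare_digest(admin_token.encode(), self.admin_token.encode()):
            raise PermissionError(f"{self.name}: caller lacks administrative authority")
        self.passwords[uid] = secret


class PSA:
    """Receives the identifier and secret from the client (after the TLS leg of claim 6,
    not modelled) and drives validation and propagation."""

    def __init__(self, master: MasterRegistry, targets: dict, admin_token: str):
        self.master = master
        self.targets = targets  # name -> TargetRegistry, each reached over its own connection (claim 8)
        self.admin_token = admin_token

    def synchronize(self, uid: str, secret: str, new_secret: Optional[str] = None):
        """Return the target names updated, or None when validation fails, in which case
        nothing is propagated (claim 1). A supplied new_secret replaces the presented
        secret before propagation (claim 12); the master's own record is left unchanged,
        which the claims do not address."""
        if not self.master.validate(uid, secret):
            return None
        value = new_secret if new_secret is not None else secret
        updated = []
        for name in self.master.targets_for(uid):
            self.targets[name].set_password(self.admin_token, uid, value)
            updated.append(name)
        return updated


def demo() -> dict:
    """Constructed scenario: two users, one group policy, two target registries."""
    master = MasterRegistry()
    master.enroll("alice", "Tr0ub4dor&3")
    master.enroll("bob", "correct horse")
    master.groups["staff"] = {"alice", "bob"}
    master.user_policy["alice"] = ["hr-ldap"]
    master.group_policy["staff"] = ["mail"]
    token = "psa-admin-token-constructed"  # assumption: how the PSA proves its authority
    targets = {n: TargetRegistry(n, token) for n in ("hr-ldap", "mail")}
    psa = PSA(master, targets, token)
    return {
        "wrong_password": psa.synchronize("alice", "wrong"),
        "unknown_user": psa.synchronize("mallory", "whatever"),
        "alice": psa.synchronize("alice", "Tr0ub4dor&3"),
        "bob_new": psa.synchronize("bob", "correct horse", new_secret="battery staple"),
        "mail_bob": targets["mail"].passwords.get("bob"),
        "hr_bob": targets["hr-ldap"].passwords.get("bob"),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties worth checking in any real PSA fall out of this structure: a failed validation returns before the policy lookup, so a wrong or unknown credential never reaches a target, and the targets refuse writes that do not carry the PSA's administrative credential, so a compromised client cannot use the propagation path to set passwords directly.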